A tale of disappearing items, late authenticators, and few concrete answers.

When I first heard that a number of Diablo III players were complaining loudly that their Battle.net accounts were being hacked, and their in-game items and gold stolen wholesale, I assumed that it was a relatively small problem being blown up in traditional Internet message board fashion. I generally accepted Blizzard's official statement that the "extremely small" number of complaints they had received were mainly the result of standard social engineering hacks like hidden keyloggers and phishing scams.

Then I logged in to my Diablo III account earlier today and found that I had become one of those careless victims, my character stripped bare and my gold balance drained.

It's not even like I was a prime target for an attack. My level 14 Demon Hunter wasn't exactly festooned with high-end weaponry and armor, thanks to a play schedule limited heavily by recent travel and E3 preparations. But still, I was somewhat proud of the magical crossbow and relatively hefty shield I had mustered up, as well as a decent set of armor mostly purchased from an upgraded blacksmith. Now, all those items were gone, except for, oddly enough, a Superior Belt with an armor rating of 34 that was still wrapped around my waist. I still had all my level 14 abilities and statistics, as well as my quest progress. But without my gear and gold, I felt like I was starting over from scratch.

After putting in a call to Blizzard support and being warned of a 40-minute estimated wait time, I took the prerecorded hold voice's advice and scanned my computer for viruses. After AVG Free and Malwarebytes both confirmed my system was clean, I changed my password just to be on the safe side. This required logging in using the mobile authenticator that I had signed up for last Friday, a precaution I took after first hearing about the hacking complaints, figuring it was better to be safe than sorry.

After spending an hour on hold, a chipper Blizzard account representative came on the line and asked for my first and last name and e-mail address. I explained the problem of the missing loot, and he assured me that he'd probably be able to help me.

He brought up my account and explained that the restoration process for Diablo III was slightly different from that for World of Warcraft. He couldn't simply give me back the items and gold I had lost, he said, but he could perform a full account rollback to one of a number of server snapshots that are taken every 24 hours or so. This would eliminate any game progress I had made since the snapshot was taken, which wasn't a practical issue for me because I hadn't actually played the game after I discovered all my stuff was missing.

The last such snapshot that Blizzard had on file for my account was from Wednesday, May 23rd, showing me with a full set of gear and just shy of 4,000 gold. I was relatively sure that I hadn't logged into the game that day, but after a week had passed, I couldn't really be sure. In any case, it leaves a small window between the last time I was confirmed to have my gear and the time I installed the mobile authenticator on Friday in which I could have been hacked. Guess I shouldn't have put off increasing my security for so long (I didn't actually check the status of my Diablo III gear on Friday, using the Web interface to sign up for and test the authenticator).

When I pressed the rep for any details on how this account compromise might have happened, he said there was no way to be sure, and gave me the same old song and dance about keyloggers and viruses being the primary culprits. When I asked if he could go in and track what had happened to my loot and when, he apologized and said the only records he had access to were ones that showed when my account had been accessed. This seems like a pretty limited virtual crime-scene investigation tool, considering this problem happened in a game in which every player is online and every action, authorized or not, is presumably logged on a server somewhere. Then again, it's possible the capability exists, but the information is provided on a strict need-to-know basis to protect my privacy.

What's more, he admitted that there was a current issue with Blizzard's systems that was stopping him from seeing certain logins from other locations in his records. "So it could be a case like that where the account was logged into from somewhere else and we just can't see it," he said. When I brought up my recently activated mobile authenticator, he said that the compromise must have happened just before I set it up, and that the two-step verification system was "not 100 percent secure, but one of the most secure methods of protecting your account."

From that point, actually getting my loot back was a relatively painless process. The phone rep directed me to a Blizzard tech support web page where I could submit a ticket with a special keyword that would bump me into a priority queue for account restoration. He warned me that all Battle.net accounts are limited to two such rollbacks over the lifetime of the game, and so warned me to be extra careful with my account details from here on out. Within a half-hour of hanging up, my account was restored and my character was again standing in full regalia, ready to take on the demonic hordes.

It wasn't until I had been through this entire process, and I was talking about potential security threats with an expert, that I realized that my password security might not have been as airtight as I thought. The password I've been using for my Battle.net account was the same one I used to use on services such as Twitter and PSN before they were potentially compromised through well-publicized hacking scandals. I've updated most of my crucial accounts with much more secure, unique passwords since then, but I'd forgotten to change my Battle.net password in that time (and simply forgot that the old password was in any way insecure).

This seems like the most likely security hole, in hindsight, and one that could have been easily closed had I been more vigilant, or quicker to sign up for Blizzard's two-step authentication service (a measure, it should be noted, that's more secure than those offered by most banks). Still, I'll probably never be completely sure how I briefly lost all my progress in Diablo III, and the whole affair has made me quite a bit more paranoid about my computer security. I can only hope that the experience serves as a cautionary tale for me and others going forward.

After this, if you get a phishing email to blah@gmail.com you know it didn't come from bnet.

Furthermore, take this many steps farther: for every site you have an account with, set your email to blah+randomsite@gmail.com so you can easily filter all sites by your incoming email address.

*cough* I use this on many sites, but I haven't tried with bnet; bnet may not allow + signs in email addresses. I've run into a rare site that doesn't. So if it doesn't work with bnet, sorry. I'm feeling lazy and don't feel like testing my theory atm.
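An added example, not code from the article, its commenters, or Battle.net, showing how a mail-side filter can use the plus-addressing scheme described above: each site gets its own tagged address, so the address a message arrived at tells you where the sender got it. A message that claims to be from a site but arrives at the bare mailbox, or at another site's tag, is flagged for review. The registry entries, site names and sample messages are all constructed for illustration.

```python
"""Plus-address triage for incoming mail.

Added example; not code from the article, its commenters, or Battle.net.
Every site gets its own tagged address (blah+site@...), so the address a
message was sent to tells you where the sender got it. A message claiming to
be from a site but addressed to the bare mailbox, or to another site's tag,
is flagged. All registry entries and messages are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed registry (assumption): site -> the plus-tagged address handed to it.
SITE_TAGS: Dict[str, str] = {
    "bnet": "blah+bnet@example.com",
    "forumx": "blah+forumx@example.com",
}

# local part, optional +tag, domain; whitespace and stray '@' are rejected.
ADDR_RE = re.compile(r"^(?P<local>[^@+\s]+)(?:\+(?P<tag>[^@\s]+))?@(?P<domain>[^@\s]+)$")


def split_address(addr: str) -> Tuple[str, Optional[str], str]:
    """Return (local part, plus-tag or None, domain), lower-cased."""
    m = ADDR_RE.match(addr.strip().lower())
    if not m:
        raise ValueError(f"not a plus-addressable address: {addr!r}")
    return m.group("local"), m.group("tag"), m.group("domain")


def classify(claimed_site: str, to_addr: str) -> str:
    """Verdict for a message that claims to come from `claimed_site`.

    expected       delivered to the tag registered for that site
    wrong-tag      delivered to a tag that was handed to a different site
    untagged       delivered to the bare mailbox, which that site never received
    other-mailbox  delivered to a mailbox that is not the registered one
    unknown-site   we never registered with a site of that name
    """
    registered = SITE_TAGS.get(claimed_site.lower())
    if registered is None:
        return "unknown-site"
    local, tag, domain = split_address(to_addr)
    reg_local, reg_tag, reg_domain = split_address(registered)
    if (local, domain) != (reg_local, reg_domain):
        return "other-mailbox"
    if tag is None:
        return "untagged"
    if tag == reg_tag:
        return "expected"
    return "wrong-tag"


def triage(messages: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Run classify() over (claimed_site, to_address) pairs."""
    return [(site, to, classify(site, to)) for site, to in messages]


def suspicious(messages: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Everything that is not 'expected' goes to the review folder."""
    return [row for row in triage(messages) if row[2] != "expected"]


# Constructed sample: (site the message claims to be from, address it arrived at).
SAMPLE_MESSAGES = [
    ("bnet", "blah+bnet@example.com"),      # genuine: the tag bnet was given
    ("bnet", "blah@example.com"),           # bare mailbox: bnet never had it
    ("bnet", "blah+forumx@example.com"),    # a tag that leaked from another site
    ("shopz", "blah+shopz@example.com"),    # never registered there at all
]

if __name__ == "__main__":
    for site, to, verdict in triage(SAMPLE_MESSAGES):
        print(f"{verdict:14} {site:7} -> {to}")
```

The tag is visible to anyone who holds the address, so this is an attribution and filtering aid rather than an authentication check; it tells you which site's address book leaked, not who sent the message. As the commenter notes, some sites reject a `+` in the local part, in which case a dedicated mailbox per site gives the same signal.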

It's unfortunate that you had to wait on hold, and that the services for investigation were not more precise. That said, it's nice to see that you didn't use this opportunity to attack the game again for its shortcomings.

I removed the auth token from my account, because the damned thing was more of a pain than it was worth; every time I turned around I was having to call Blizzard because some non-system update had caused it to think my phone had changed too much, or was out of sync, or some other retardedness.

Of course, my password is as long as Blizzard will allow, unique, and random; password wallets ftw.

I would actually rather see something active; log in, get a keycode sent to a phone number, put that in to complete the login process.

I don't play this game, or any game of the same kind, but it was an interesting read. I just don't understand how you get this stuff taken from your acc, though?! Can anyone explain this to me? Can you transfer to other accounts? If so, how is that so non-trackable?

There's some pretty good advice in this topic from the OP, and he links to other, similar topics discussing the same subject matter. Some replies to the thread have been... less than stellar, you could say, but hey, it's a forum. And a B.net forum, at that.

Personally, I have a mobile authenticator on my account since several years ago when my WoW account was hacked, and my password on B.net is unique to it: I use it nowhere else. The password being of decent length completes the trifecta of good security practices when it comes to B.net accounts.

I find it so interesting that past huge data thefts could lead to compromised accounts on a service like battle.net. It's easy to try the passwords on the email addresses associated with the accounts found in the stolen data, but then to go and try it with other services? You could slim down the lists by cross-referencing different data sets, but who's got the time to go through a dataset and try out the email and password combos for Diablo III accounts? I know, criminals. How much money can they possibly be making with this scheme?

Or use the free authenticator app for major smartphones. There's really no one to blame when you "get hacked" but yourself nowadays. Taking reasonable precautions like not sharing info, not installing malware and using 2-factor authentication (PWs are easy to guess, it's no longer an excuse to say your PW is complex) should come naturally for anything you don't want people to get into.

This isn't directed at the OP, just in general. It sucks to get "hacked" but you can stop it from happening.

I am not a Blizzard apologist by any stretch of the imagination but.....

As a writer on one of the most popular tech websites in the world you should really think about the content you are publishing more. First you attack the game using incorrect examples of Diablo 2 game play, culminating in a quite mediocre review of the game. Then you flame Blizzard for doing what practically every online RPG has done for the last decade (balance hot-fixes), burning with an epic fury which normally would lead me to believe the Inferno nerfs affected you personally. Then this "article" which exposes that your highest level character is 14; shit man, you could have done the review just from the beta. However the icing on the cake, and what drove me to write this post, was your obnoxiously misleading headline that hundreds of thousands will see without reading the drivel behind the link. You got hacked because your password standards were piss poor, plain and simple. You say that your authenticator was late yet fail to explain how so. As far as I can tell from the article you signed up for it and got it on Friday (which was too late to avoid being hacked).

You are leading people to believe through your sensational trolling headlines that Diablo 3 is insecure and Blizzard is doing a poor job when the truth is far more positive for the fastest selling PC game of all time.

Ceasar please fucking get Ben back , pay him more or whatever , this guy is just no good. Nothing personal Kyle.

I didn't get that at all from the headline. People being hacked is a known issue, whether it's their own fault or not. From this article and the title, I've seen a more balanced view and procedures of what happened and what to do if your account gets hacked. That's a valuable piece of information. If anything this article is praising Blizz. I've seen many, MANY online games that just shrug and say "sucks to be you" when things like this happen.

I don't play this game, or any game of the same kind, but it was an interesting read. I just don't understand how you get this stuff taken from your acc, though?! Can anyone explain this to me? Can you transfer to other accounts? If so, how is that so non-trackable?

I suspect the main issue here is that although it's theoretically trackable, acquiring and retaining the relevant information would require huge amounts of back-end infrastructure, and Blizzard has decided to take the much more affordable option of 24-hour character snapshots.

What interests me most is that despite the fact that a lot of people will lie through their teeth when they've been victims of their own stupidity (there seems to be a huge number of Diablo players who are IT security specialists with a new computer and an authenticator that have never visited any websites ever), there still seems to be an awful lot of ordinary people with ordinary browsing habits who have been compromised.

I think it's a huge mistake (which so many people seem so quick to make) to underestimate the deviousness and technical expertise of the people doing the hacking. Because D3 allows you to buy your way to success (for weird values of success to be sure), the motivation for gold-buyers and therefore gold-sellers is significantly higher than in WoW. I've no doubt that BNet accounts have been quietly being harvested from WoW and SC2 players ever since the RMAH was announced.

Ah yes, you're damn right I have a keychain authenticator... ever since a friend of mine lost his WoW account a few years ago.

There's really no one to blame when you "get hacked" but yourself nowadays.

Oh baloney. You're assuming that the target is perfectly secure. Given all the reports of SQL Injection and other breaches, that doesn't fly.

Is the service always to blame? Of course not. But assuming the user is always to blame is wrong.

You'll have to explain to me how a SQL injection attack leads to me getting hacked and how I couldn't have prevented it easily. I drew up 2 posts and deleted them both when I answered my own questions.

Easy solution to this problem: two factor authentication. As well as a "Wait a minute!" by the game servers when it sees that you are accessing from an IP address half-way or more across the world.

Easier solution - have a 2 factor that isn't wildly less convenient than Google's. There is no reason to make it 8 digits entered within a 10 second window, expiring every single week. Maybe they could even remember credentials as a system-wide service, instead of endlessly verifying the sucker that bought TWO Blizzard games.

(Here's another authenticator scheme - have my mobile device, that's always on the same LAN as my gaming PC, authenticate itself via radio waves. My mobile runs a more modern sandbox OS than the desktop, and doesn't have to back up its authentication seed to the keyloggered PC.)

There's really no one to blame when you "get hacked" but yourself nowadays.

I disagree absolutely. The only people who should be blamed are the people doing the compromising in the first place. Raged up haters blaming Blizzard and inventing conspiracy theories about unannounced security breaches are just as bad as fanboys smugly posting "authenticator" in threads from people with compromised accounts.

Blizzard should (and I believe are) doing almost* as much as they can. Players should definitely get themselves an authenticator, but only because the world is full of evil bastards, not because they're idiots or because Blizzard are incompetent.

*Aside from opening up an entire 'security division' devoted to identifying and analysing BNet-specific threats... and if they've already got one, I wish they'd release their findings periodically

That said, its nice to see that you didn't use this opportunity to attack the game again for its shortcomings.

Because the shortcomings should be hidden under the rug; and we can pretend they don't exist?

No, because every other article from Kyle has been completely one-sided in its presentation of the game as a steaming pile of crap. Because it seems he showed a little bit of restraint here, when he could have continued his previous path of "look at this completely broken game and how useless Blizzard is."

It's not perfect, since it still leads you to believe he is innocent until two thirds of the way through, when he finally admits that he never changed his password after the PSN hack, which got an incredible MONTH of exposure on Ars for the depth and severity of its breach. It is an improvement though.

I am not saying hide the flaws, but for once Kyle hasn't acted like a negative aspect of his experience is a flaring flaw in Diablo. So I was thanking him.

Or use the free authenticator app for major smartphones. There's really no one to blame when you "get hacked" but yourself nowadays. Taking reasonable precautions like not sharing info, not installing malware and using 2-factor authentication (PWs are easy to guess, it's no longer an excuse to say your PW is complex) should come naturally for anything you don't want people to get into.

This isn't directed at the OP, just in general. It sucks to get "hacked" but you can stop it from happening.

There's really no one to blame when you "get hacked" but yourself nowadays.

I disagree absolutely. The only people who should be blamed are the people doing the compromising in the first place. Raged up haters blaming Blizzard and inventing conspiracy theories about unannounced security breaches are just as bad as fanboys smugly posting "authenticator" in threads from people with compromised accounts.

Blizzard should (and I believe are) doing almost* as much as they can. Players should definitely get themselves an authenticator, but only because the world is full of evil bastards, not because they're idiots or because Blizzard are incompetent.

*Aside from opening up an entire 'security division' devoted to identifying and analysing BNet-specific threats... and if they've already got one, I wish they'd release their findings periodically

I mean all you need to do is get something more secure than a PW. The authenticator app is free and basically ensures it won't be your fault when shit happens. Or spend $7 or so for the keychain. People complain about the price, but the game was $60+ and all the time they spend in it? Unless they don't value their time, there's no excuse.

I don't play this game, or any game of the same kind, but it was an interesting read. I just don't understand how you get this stuff taken from your acc, though?! Can anyone explain this to me? Can you transfer to other accounts? If so, how is that so non-trackable?

I suspect the main issue here is that although it's theoretically trackable, acquiring and retaining the relevant information would require huge amounts of back-end infrastructure, and Blizzard has decided to take the much more affordable option of 24-hour character snapshots.

What interests me most is that despite the fact that a lot of people will lie through their teeth when they've been victims of their own stupidity (there seems to be a huge number of Diablo players who are IT security specialists with a new computer and an authenticator that have never visited any websites ever), there still seems to be an awful lot of ordinary people with ordinary browsing habits who have been compromised.

I think it's a huge mistake (which so many people seem so quick to make) to underestimate the deviousness and technical expertise of the people doing the hacking. Because D3 allows you to buy your way to success (for weird values of success to be sure), the motivation for gold-buyers and therefore gold-sellers is significantly higher than in WoW. I've no doubt that BNet accounts have been quietly being harvested from WoW and SC2 players ever since the RMAH was announced.

Ah yes, you're damn right I have a keychain authenticator... ever since a friend of mine lost his WoW account a few years ago.

Okay, aside from that, all I thought was that surely If you are MagicMaster69er and you have 4000 Gold, and then 4000 Gold is hacked and sent to Uberh4x0rBigdickman, isn't that pretty easy to just ban fuckstick haxor? Forgive my ignorance.

Or use the free authenticator app for major smartphones. There's really no one to blame when you "get hacked" but yourself nowadays. Taking reasonable precautions like not sharing info, not installing malware and using 2-factor authentication (PWs are easy to guess, it's no longer an excuse to say your PW is complex) should come naturally for anything you don't want people to get into.

This isn't directed at the OP, just in general. It sucks to get "hacked" but you can stop it from happening.

Since when did people start to actively install malware?

Since, forever? Weren't there bad WoW mods and ads on Curse? If you got bit by those, it's your fault. That stuff doesn't install itself. Even if it did, an authenticator would have prevented it and it's far from an unreasonable action to get one by default.

I'm not trying to be a shit head, but in my family of 8, we've never used AV software or malware scans. I taught my over-60 parents to not install stupid shit and not even click things that are suspicious. We do all of our banking online; everything is digital in our house. We've never had so much as an errant PW reset email, never mind being "hacked".

I think it's just easier to blame the evil hacker instead of evaluating your own practices. WoW and now D3 are notorious for "hackers".

Use a password locker program (KeePass, LastPass, etc), and use a different strong password for every single site. Not doing so at this point is just asking to have your accounts hijacked.

I will add to this.

For battle.net, because it is a large target for hacking, I would recommend using a separate email address for this service from the one you use for forums, email etc. Do not use this email address for anything but WoW and other games you play. This will keep the email address that you use for forums and other correspondence/junk mail isolated.

Also, if you don't feel like shelling out for password lockers, get TrueCrypt. Create a small encrypted folder and put in a file that holds these passwords. Works like a charm.

That's really disappointing on Blizzard's part. With Rift, Trion uses a "coinlock" feature that locks your account from trading, mailing, and selling anything when you log in from a different IP. Doesn't stop you from playing and questing (if you happen to be playing with no access to email) but at least no one can rape your account of loot. Sounds like something Blizzard should implement too.
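The "coinlock" idea above, together with the earlier comment asking for a "wait a minute" check on logins from far-away addresses, amounts to a small state machine. As an added example (not Trion's or Blizzard's code, neither of which is on the page), here is a sketch of it: a login from a network the account has never used keeps the account playable but refuses trades, mail and sales until the owner confirms through a second channel, here a token the server would e-mail out. Every decision is appended to an audit log, the kind of record the support rep in the article said he could not see. The grouping of addresses by /24 or /64 is an assumption, and all accounts, addresses and events are constructed.

```python
"""Trade lock for logins from an unfamiliar network.

Added example illustrating the "coinlock" idea; not Trion's or Blizzard's
code. Accounts, addresses and events are constructed for the demonstration.
"""
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Account:
    known_networks: Set[str] = field(default_factory=set)  # confirmed source networks
    trade_locked: bool = False
    pending_token: Optional[str] = None      # confirmation token sent out-of-band
    pending_network: Optional[str] = None    # network awaiting confirmation


class TradeLockService:
    """Assumed policy: group addresses by /24 (IPv4) or /64 (IPv6) so ordinary
    DHCP churn at home does not re-trigger the lock; a new prefix does."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.audit: List[str] = []           # one line per decision

    @staticmethod
    def _network(ip: str) -> str:
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 64
        return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

    def login(self, user: str, ip: str) -> str:
        acct = self.accounts.setdefault(user, Account())
        net = self._network(ip)
        if not acct.known_networks:          # first ever login sets the baseline
            acct.known_networks.add(net)
            self.audit.append(f"login user={user} ip={ip} net={net} baseline")
            return "ok"
        if net in acct.known_networks:
            self.audit.append(f"login user={user} ip={ip} net={net} known")
            return "ok"
        acct.trade_locked = True             # still playable, but nothing leaves the account
        acct.pending_network = net
        acct.pending_token = secrets.token_urlsafe(16)
        self.audit.append(f"login user={user} ip={ip} net={net} NEW -> trade locked")
        return "trade-locked"

    def confirm(self, user: str, token: str) -> bool:
        """Owner proves control of the second channel; unlock and trust the network."""
        acct = self.accounts.get(user)
        if (acct is None or acct.pending_token is None
                or not secrets.compare_digest(acct.pending_token, token)):
            self.audit.append(f"confirm user={user} rejected")
            return False
        acct.known_networks.add(acct.pending_network)
        acct.trade_locked, acct.pending_token, acct.pending_network = False, None, None
        self.audit.append(f"confirm user={user} accepted -> trade unlocked")
        return True

    def trade(self, user: str, item: str, to_user: str) -> bool:
        acct = self.accounts.get(user)
        if acct is None or acct.trade_locked:
            self.audit.append(f"trade user={user} item={item} to={to_user} REFUSED")
            return False
        self.audit.append(f"trade user={user} item={item} to={to_user} ok")
        return True


def demo() -> List[str]:
    """Constructed event sequence; returns the decisions in order."""
    svc = TradeLockService()
    out = [svc.login("hero", "203.0.113.10"),       # baseline: ok
           svc.login("hero", "203.0.113.77"),       # same /24: ok
           svc.login("hero", "198.51.100.5")]       # new network: trade-locked
    out.append(str(svc.trade("hero", "magic crossbow", "friend")))  # refused
    out.append(str(svc.confirm("hero", "not-the-token")))           # rejected
    out.append(str(svc.confirm("hero", svc.accounts["hero"].pending_token)))
    out.append(str(svc.trade("hero", "magic crossbow", "friend")))  # allowed
    return out


if __name__ == "__main__":
    svc = TradeLockService()
    print(demo())
```

The lock deliberately costs a legitimate traveller one confirmation step rather than blocking play, which is the trade-off the commenter describes. The audit list is the point rather than a side effect: with it, support can answer the article's question of when and from where the account was used, independent of whether the password was stolen by a keylogger or reused from another breach.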

I don't play this game, or any game of the same kind, but it was an interesting read. I just don't understand how you get this stuff taken from your acc, though?! Can anyone explain this to me? Can you transfer to other accounts? If so, how is that so non-trackable?

Step 1: Hack a user's account
Step 2: Join a game with another character (presumably also yours) and drop all the loot/gold.
Step 3: Pick up loot with second character
Step 4: Profit

I bet there are other ways, but this one is simple enough(ex: use the auction system)

I am more pissed about the server issues. Tried playing last night and couldn't connect at all. I can't wait until the next patch is released, where it will presumably corrupt my installation (or something else, bad).

It was important that someone "in a position of trust" (Ars Gaming Editor) write to say 'hey, I got hacked too', it puts the problem in perspective.

People have weak passwords, it's a given. Account systems get hacked. If you use the same passwords on multiple accounts, then your two-factor (email address + password) credentials are now a single known value and can be used on 'popular' sites.

That's one line of reasoning, which Kyle specifically states "oh, I used the same password".

Yet other people have unique passwords for battlenet and still get hacked (thankfully, nobody with an authenticator is getting hacked, yet). There seems to be something other than 'lax password standards' at work here, and Blizzard are keeping quiet about it, and cheerfully dealing with the aftereffects of hacks rather than fixing some loophole in their system(s).

I don't know the answers -- the solution "get an authenticator (or Authenticator App, it's free)" is out there, but until people get bitten, it's a hassle they would rather not bother with.

Good article, 'it's out there, do something preventative for yourself', even if it is 'negative' about Blizzard's battle.net it's a very useful warning to everyone -- get a god-damned authenticator for your battle.net account, stat!

The authenticator isn't much of a hassle IMO. By default it only prompts you once a week or so, or if you log in from another computer I think. It's annoying, but that 10s is a lot less than the days/hours it takes to get unhacked.

I find it so interesting that past huge data thefts could lead to compromised accounts on a service like battle.net. It's easy to try the passwords on the email addresses associated with the accounts found in the stolen data, but then to go and try it with other services? You could slim down the lists by cross-referencing different data sets, but who's got the time to go through a dataset and try out the email and password combos for Diablo III accounts? I know, criminals. How much money can they possibly be making with this scheme?

Lots and lots of money. They sell the gold and sell the items for more gold to sell. It's a lot easier than farming the regular way. Over the last few years most of Blizzard's CS incidents have transitioned to being account restorations after hacking. It's a huge problem. They use stolen credit cards to make the accounts they use to move the items around, which ends up being a huge cost to all MMOs in chargebacks and penalties. That's why they are all moving towards selling gold themselves, it's not just so they get a cut, but so that they can drastically reduce support and administrative costs.

Not saying this is the case here, but the game has seemed a bit buggy as well. I wonder what the chances are of some software glitches occasionally corrupting some character data. Although if that were the case, would Blizzard rather admit to that, or let people assume it's all down to users being the weak link in the security chain?

Kyle Orland / Kyle is the Senior Gaming Editor at Ars Technica, specializing in video game hardware and software. He has journalism and computer science degrees from University of Maryland. He is based in Pittsburgh, PA.